+ Security Management
Like all software, Horde sometimes has bugs that impact security. This page is an attempt to lay out procedures for handling them as gracefully as possible.
++ Reporting new issues
We ask that researchers and others who discover security problems report them to security@horde.org. As an all volunteer project there are no absolute guarantees, but the Horde Project will attempt to respond to all valid reports within 24 hours with an acknowledgment and requests for any additional needed information.
When reporting issues, please include the version number of Horde and all applications so that we can test the correct version from the start.
++ Timelines
The time required to release a fix will vary depending on the complexity of the issue. We will stay in communication with vendors throughout the development and testing process for fixes, and we ask reporters to stay in communication with the Horde Project (through the security@horde.org alias). Any help from reporters with testing fixes is doubly appreciated.
++ Confidentiality
Information provided by reporters is a courtesy to the Horde Project and will be kept confidential in order to do coordinated releases of both the disclosure and new fixed versions.
++ Early notification
In order to achieve a coordinated release with packagers that bundle Horde for distribution, a restricted mailing list is available: http://lists.horde.org/mailman/listinfo/vendor. Membership in this list is moderated and the archives are private in order to maintain confidentiality.
++ Release
Finally, we will coordinate new releases with the reporter and the vendor mailing list. Releases will clearly state that they contain security fixes.